In this article, we present an authorization model that can be used to express a number of discretionary access control policies for relational data management systems. The model permits both positive and negative authorizations and supports exceptions at the same time. The model is flexible in that the users can specify, for each authorization they grant, whether the authorization can allow for exceptions or whether it must be strongly obeyed. It provides authorization management for groups with exceptions at any level of the group hierarchy, and temporary suspension of authorizations. The model supports ownership together with decentralized administration of authorizations. Administrative privileges can also be restricted so that owners retain control over their tables.